Pegasi Wiki

This wiki acts as a memo for our own work, so why not share it? Feel free to browse and use our notes, and leave a note while at it.

Differences

This shows you the differences between two versions of the page.


centos6_ldap [2013/01/09 16:52]
Pekka Kuronen
centos6_ldap [2017/11/06 10:11]
Line 1: Line 1:
-===== CentOS 6 LDAP authentication and NFS V4 ===== 
  
-==== LDAP and sssd ==== 
- 
----- 
- 
-LDAP authentication has changed from earleier CentOS. Now all you need is sssd and an LDAP server like openLDAP or Novell eDirectory I am using. 
- 
-This is short and sweet (or dirty?) list of things to make it work. I don't use tls so it required a bit customization. But if you use encryption you might get off by just configuring it with system-config-authentication. If not then read on. 
- 
-  * See that you don't have nslcd or nss-pam-ldapd to mess with you 
- 
-<​code>​ 
-yum erase nss-pam-ldapd nslcd 
-</​code>​ 
- 
-  * Make basic ldap configuration in /​etc/​openldap/​ldap.conf 
- 
-<​code>​ 
-URI ldap://​yourldapserver/​ 
-BASE o=base 
-TLS_CACERTDIR /​etc/​openldap/​cacerts 
-</​code>​ 
- 
-  * Do the basic configuration with one command 
- 
-<​code>​ 
-authconfig --enablesssd --enablesssdauth --enablelocauthorize --update 
-</​code>​ 
- 
-  * Start of sssd is not necessary succesful since you may not have a working configuration as of now 
-  * And make your /​etc/​sssd/​sssd.conf look something like this (customize the rows marked) 
- 
-<​code>​ 
- 
-[sssd] 
-config_file_version = 2 
-services = nss, pam 
-domains = default 
- 
-[nss] 
-filter_users = root,​bin,​postfix,​ldap,​avahi,​haldaemon,​dbus,​nscd 
-enum_cache_timeout = 3600 
- 
-[domain/​default] 
-cache_credentials = True 
-id_provider = ldap 
-auth_provider = ldap 
-chpass_provider = ldap 
- 
-#eDirectory ldap, long timeouts 
-ldap_tls_reqcert = never 
-ldap_schema = rfc2307bis 
-ldap_search_base = o=pegasi 
-ldap_uri = ldaps://​ldap.company.com:​636/​ 
-ldap_access_filter = objectclass=posixaccount 
-ldap_tls_cacert = /​etc/​openldap/​cacerts/​myca.b64 
-ldap_user_member_of = groupMembership 
-entry_cache_timeout = 14400 
-entry_cache_user_timeout = 14400 
-entry_cache_group_timeout = 14400 
-ldap_enumeration_refresh_timeout = 1200 
-ldap_purge_cache_timeout = 21600 
- 
-ldap_default_bind_dn = cn=ldapuser,​ou=xxx,​o=system 
-ldap_default_authtok_type = password 
-ldap_default_authtok = MyComplexPasswordX,​Y.Z-123 
- 
-[pam] 
- 
-</​code>​ 
- 
-  * Open /​etc/​sysconfig/​authconfig and edit 
- 
-<​code>​ 
-FORCELEGACY=yes 
-</​code>​ 
- 
-  * Edit /​etc/​nsswitch.conf 
- 
-<​code>​ 
-passwd: ​    files sss 
-shadow: ​    files sss 
-group: ​     files sss 
-</​code>​ 
- 
-  * Restart and test 
- 
-<​code>​ 
-/​etc/​init.d/​sssd restart 
-id some_login 
-</​code>​ 
- 
-==== NFS V4 ==== 
- 
-After competing the above we set up NFS V4. 
- 
-== Things to do in both server and clients == 
- 
----- 
- 
-  * Edit the configuration file /​etc/​idmapd.conf to common domain 
- 
-<​code>​ 
-Domain = yourdomain 
-</​code>​ 
- 
-  * To prevent future headaces, include static mappings for all users not in LDAP 
- 
-<​code>​ 
-Method = nsswitch,​static 
-</​code>​ 
- 
-<​code>​ 
-[Static] 
-apache@yourdomain = apache 
-</​code>​ 
- 
-== Things to do in server == 
- 
----- 
- 
-  * Add your shares to /​etc/​exports 
- 
-<​code>​ 
-/​mnt/​homedirs ​  ​192.168.1.0/​24(rw,​sync,​no_root_squash,​no_all_squash) 
-</​code>​ 
- 
-  * Restart and enable services 
- 
-<​code>​ 
-/​etc/​rc.d/​init.d/​rpcidmapd restart 
-/​etc/​rc.d/​init.d/​rpcbind restart 
-/​etc/​rc.d/​init.d/​nfslock restart 
-/​etc/​rc.d/​init.d/​nfs restart 
-chkconfig rpcidmapd on 
-chkconfig rpcbind on 
-chkconfig rpcidmapd on 
-chkconfig rpcidmapd on 
-</​code>​ 
- 
-  * Check that the services are allowed in /​etc/​hosts.allow 
-  * Check that iptables rules allow clients to mount 
- 
-== Things to do in clients == 
- 
----- 
- 
-  * Check that you have nfs-utils package 
-  * Check that your idmapd.conf is in order, look above 
-  * Put mountpoints to /etc/fstab 
- 
-<​code>​ 
-server:/​mnt/​home ​  /​net/​home ​  ​nfs4 ​  ​defaults,​_netdev ​  0 0 
-</​code>​ 
- 
-  * Enable and restart services 
- 
-<​code>​ 
-chkconfig rpcbind on 
-chkconfig rpcidmapd on 
-chkconfig nfslock on 
-chkconfig netfs on 
-/​etc/​rc.d/​init.d/​rpcbind start 
-/​etc/​rc.d/​init.d/​rpcidmapd start 
-/​etc/​rc.d/​init.d/​nfslock start 
-/​etc/​rc.d/​init.d/​netfs start 
-</​code>​ 
- 
-  * Mount and test 
- 
-<​code>​ 
-mount -a 
-</​code>​ 
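Review bot: the server-side "Restart and enable services" block enables `rpcidmapd` three times (`chkconfig rpcidmapd on` appears on three of its four lines) and never enables `nfslock` or `nfs`, so the daemons that were just restarted with `/etc/rc.d/init.d/nfslock restart` and `/etc/rc.d/init.d/nfs restart` will not come back after a reboot; the duplicated lines should read `chkconfig nfslock on` and `chkconfig nfs on`. Two further points in the sssd.conf block: `ldap_tls_reqcert = never` disables server certificate verification for the `ldaps://ldap.company.com:636/` connection, which makes the `ldap_tls_cacert` line ineffective and lets any host presenting a certificate act as the directory, so it should be set to `demand` once the CA file is in place; and the same file carries the bind credential in clear text (`ldap_default_authtok = ...`), so the page should say that /etc/sssd/sssd.conf must be owned by root and readable only by root. The introduction also states "I don't use tls" while the configuration uses ldaps, which is contradictory and worth clarifying. Finally, the exports line grants `no_root_squash` to the whole 192.168.1.0/24 range for a home-directory export; that is a notable trust decision and deserves either a sentence of justification or a narrower client list. Note also that this revision removes the whole page with nothing on the right-hand side, so the fixes above would need to go into a restored copy.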
